idp: docs / cleanup

copyparty/web/splash.js

@@ -50,7 +50,7 @@ for (var k in (d || {})) {
 }
 
 try {
-	if (window.is_idp) {
+	if (is_idp) {
 		var z = ['#l+div', '#l', '#c'];
 		for (var a = 0; a < z.length; a++)
 			QS(z[a]).style.display = 'none';

docs/examples/docker/idp-authelia-traefik/README.md

@@ -21,6 +21,19 @@ incomplete list of modifications made:
 * added a warning that traefik is given access to the docker socket (as recommended by traefik docs) which means traefik is able to break out of the container and has full root access on the host machine
 
 
+# security
+
+there is probably/definitely room for improvement in this example setup. Some ideas taken from [github issue #62](https://github.com/9001/copyparty/issues/62):
+
+* Add in a redis password to limit attacker lateral movement in the system
+* Move redis to a private network shared with just authelia
+* Pin to image hashes (or go all in on updates and add `watchtower`)
+* Drop bridge networking for just exposing traefik's public ports
+* Configure docker for non-root access to docker socket and then move traefik to use [non-root perms](https://docs.docker.com/engine/security/rootless/)
+
+if you manage to improve on any of this, especially in a way that might be useful for other people, consider sending a PR :>
+
+
 # performance
 
 currently **not optimal,** at least when compared to running the python sfx outside of docker... some numbers from my laptop (ryzen4500u/fedora39):

docs/examples/docker/idp-authentik-traefik/README.md

@@ -2,7 +2,7 @@
 > I am unable to guarantee the quality, safety, and security of anything in this folder; it is a combination of examples I found online. Please submit corrections or improvements 🙏
 
 > [!WARNING]  
-> does not work
+> does not work yet... if you are able to fix this, please do!
 
 this is based on:
 * https://goauthentik.io/docker-compose.yml

docs/versus.md

@@ -289,7 +289,7 @@ symbol legend,
 * `curl-friendly ls` = returns a [sortable plaintext folder listing](https://user-images.githubusercontent.com/241032/215322619-ea5fd606-3654-40ad-94ee-2bc058647bb2.png) when curled
 * `curl-friendly upload` = uploading with curl is just `curl -T some.bin http://.../`
 * `a`/copyparty remarks:
-  * single-sign-on, token-auth, and 2fa is possible through authelia/authentik or similar; see TODO:example
+  * single-sign-on, token-auth, and 2fa is *possible* through authelia/authentik or similar, but nobody's made an example yet
   * one-way folder sync from local to server can be done efficiently with [u2c.py](https://github.com/9001/copyparty/tree/hovudstraum/bin#u2cpy), or with webdav and conventional rsync
   * can hot-reload config files (with just a few exceptions)
   * can set per-folder permissions if that folder is made into a separate volume, so there is configuration overhead